Totally understand, I'm not really a fan of service-managed encryption keys as a general rule vs. client-managed. I just thought I'd probe about capabilities considered stable before embarking on our own work. SSE-S3 would be a reasonable middle-ground. I appreciate the PR link, that's very helpful.

On Tue, Feb 8, 2022 at 10:29 AM Casey Bodley <cbodley@xxxxxxxxxx> wrote:

> On Tue, Feb 8, 2022 at 11:11 AM Casey Bodley <cbodley@xxxxxxxxxx> wrote:
> >
> > hi David,
> >
> > that method of encryption based on rgw_crypt_default_encryption_key
> > will never be officially supported.
>
> to expand on why: rgw_crypt_default_encryption_key requires the key
> material to be stored insecurely in ceph's config, and cannot support
> key rotation
>
> > however, support for SSE-S3
> > encryption [1] is nearly complete in [2] (cc Marcus), and we hope to
> > include that in the quincy release - and if not, we'll backport it to
> > quincy in an early point release
> >
> > can SSE-S3 with PutBucketEncryption satisfy your use case?
> >
> > [1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html
> > [2] https://github.com/ceph/ceph/pull/44494
> >
> > On Tue, Feb 8, 2022 at 10:44 AM David Orman <ormandj@xxxxxxxxxxxx> wrote:
> > >
> > > Is RGW encryption for all objects at rest still testing only, and if not,
> > > which version is it considered stable in?:
> > >
> > > https://docs.ceph.com/en/latest/radosgw/encryption/#automatic-encryption-for-testing-only
> > >
> > > David
> > > _______________________________________________
> > > ceph-users mailing list -- ceph-users@xxxxxxx
> > > To unsubscribe send an email to ceph-users-leave@xxxxxxx
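
An added example, not part of the thread or of Ceph's own code: a Python check that reports which ceph.conf sections set rgw_crypt_default_encryption_key (the option described above as keeping key material in the config), and builds the S3 PutBucketEncryption request body that asks for SSE-S3 as the bucket default. The sample config, its section names and key value, and the function names are constructed; the check assumes ceph.conf option names may be written with spaces, dashes or underscores.

```python
import configparser
import re
import xml.etree.ElementTree as ET

RISKY_OPTION = "rgw_crypt_default_encryption_key"

# Constructed sample ceph.conf; the key value is a placeholder, not real material.
SAMPLE_CONF = """\
[global]
fsid = 00000000-0000-0000-0000-000000000000

[client.rgw.gw1]
rgw frontends = beast port=8080
rgw crypt default encryption key = Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=

[client.rgw.gw2]
rgw-crypt-require-ssl = true
"""

def normalize(name):
    """Map 'rgw crypt x', 'rgw-crypt-x' and 'rgw_crypt_x' to one spelling."""
    return re.sub(r"[ \-]+", "_", name.strip().lower())

def find_static_key_sections(conf_text):
    """Return the sections that set the static key; the key itself is never returned."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return [section for section in parser.sections()
            if any(normalize(opt) == RISKY_OPTION for opt in parser[section])]

def sse_s3_bucket_encryption_xml():
    """Body of an S3 PutBucketEncryption request selecting SSE-S3 (AES256)."""
    root = ET.Element("ServerSideEncryptionConfiguration",
                      xmlns="http://s3.amazonaws.com/doc/2006-03-01/")
    rule = ET.SubElement(root, "Rule")
    default = ET.SubElement(rule, "ApplyServerSideEncryptionByDefault")
    ET.SubElement(default, "SSEAlgorithm").text = "AES256"
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for section in find_static_key_sections(SAMPLE_CONF):
        print(f"[{section}] sets {RISKY_OPTION}: key stored in config, no rotation")
    print(sse_s3_bucket_encryption_xml())
```

This only inspects a config file passed in as text; settings held elsewhere are outside its scope.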